Queue Server Side Encryption

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (act today)
Rule ID: SQS-004

Ensure that your Amazon Simple Queue Service (SQS) queues are protecting the contents of their messages with Server-Side Encryption (SSE). The Amazon SQS service uses a KMS Customer Master Key (CMK) to generate the data keys required to encrypt and decrypt SQS messages. There is no additional charge for using SQS Server-Side Encryption; however, there is a charge for using Amazon KMS.

This rule can help you with the following compliance standards:

  • PCI
  • HIPAA
  • GDPR
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

When you are using Amazon SQS queues to send and receive messages that contain sensitive data, it is highly recommended to implement data encryption in order to make the contents of these messages unavailable to unauthorized or anonymous users. The encryption and decryption is handled transparently by SQS Server-Side Encryption (SSE) and does not require any additional action from you or your application.


Audit

To determine if Server-Side Encryption (SSE) is enabled for your Amazon SQS queues, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon SQS console at https://console.aws.amazon.com/sqs/.

03 In the main navigation panel, under Amazon SQS, choose Queues.

04 Click on the name (link) of the SQS queue that you want to examine.

05 Select the Encryption tab from the console bottom panel and check the Server-Side Encryption (SSE) feature configuration. If no SSE configuration is available in this section and instead the following message is displayed: "No server-side encryption is set for this queue.", Server-Side Encryption is not enabled for the selected Amazon SQS queue, therefore your SQS data at rest is not encrypted on Amazon SQS servers.

06 Repeat steps no. 4 and 5 for each Amazon SQS queue available within the current AWS region.

07 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run list-queues command (OSX/Linux/UNIX) to list the URL of each Amazon SQS queue available in the selected AWS cloud region:

aws sqs list-queues \
  --region us-east-1 \
  --query 'QueueUrls[*]'

02 The command output should return an array with the requested SQS queue URLs:

[
    "https://sqs.us-east-1.amazonaws.com/123456789012/cc-web-app-worker",
    "https://sqs.us-east-1.amazonaws.com/123456789012/cc-mobile-app-queue"
]

03 Run get-queue-attributes command (OSX/Linux/UNIX) using the URL of the SQS queue that you want to examine as the identifier parameter and custom query filters to determine if the Server-Side Encryption (SSE) feature is enabled for the selected SQS queue:

aws sqs get-queue-attributes \
  --region us-east-1 \
  --queue-url https://sqs.us-east-1.amazonaws.com/123456789012/cc-web-app-worker \
  --attribute-names "SqsManagedSseEnabled" "KmsMasterKeyId" \
  --query 'Attributes'

04 The command output should return the requested configuration information (i.e. the SSE-SQS configuration flag or the KMS key ID):

{
  "SqsManagedSseEnabled": "false"
}

If the get-queue-attributes command output returns "SqsManagedSseEnabled": "false", as shown in the output example above, Server-Side Encryption (SSE-KMS or SSE-SQS) is not enabled for the selected Amazon SQS queue, therefore your SQS data is not encrypted at rest on Amazon SQS servers.

05 Repeat steps no. 3 and 4 for each Amazon SQS queue available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
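The Audit steps above evaluate one queue at a time by eye. The following added example (not part of the Conformity page or tooling) encodes the same decision as a function, classifies a constructed set of get-queue-attributes outputs, and lists the queues that fail this rule; the queue URLs and attribute values are constructed samples, and the optional audit_region_live helper assumes boto3 and AWS credentials are available.

```python
import json

# Constructed sample: the JSON that `aws sqs get-queue-attributes --query 'Attributes'`
# returns for three hypothetical queues (not real account data).
SAMPLE_QUEUE_ATTRIBUTES = {
    "https://sqs.us-east-1.amazonaws.com/123456789012/cc-web-app-worker":
        '{"SqsManagedSseEnabled": "false"}',
    "https://sqs.us-east-1.amazonaws.com/123456789012/cc-mobile-app-queue":
        '{"SqsManagedSseEnabled": "true"}',
    "https://sqs.us-east-1.amazonaws.com/123456789012/cc-billing-queue":
        '{"SqsManagedSseEnabled": "false", "KmsMasterKeyId": "alias/aws/sqs", '
        '"KmsDataKeyReusePeriodSeconds": "300"}',
}


def classify_sse(attributes):
    """Return 'SSE-KMS', 'SSE-SQS' or 'NONE' for one queue's attribute map.

    SQS reports SqsManagedSseEnabled as the *string* "true"/"false". When a KMS
    key is configured the flag is "false" and KmsMasterKeyId carries the key, so
    the KMS check must come first. An empty map is treated as unencrypted.
    """
    if attributes.get("KmsMasterKeyId"):
        return "SSE-KMS"
    if attributes.get("SqsManagedSseEnabled", "false").lower() == "true":
        return "SSE-SQS"
    return "NONE"


def audit_queues(raw_by_url):
    """Map queue URL -> classification; input is the CLI's JSON text per queue."""
    return {url: classify_sse(json.loads(raw)) for url, raw in raw_by_url.items()}


def unencrypted_queues(raw_by_url):
    """URLs that fail rule SQS-004 (neither SSE-KMS nor SSE-SQS enabled)."""
    return sorted(u for u, s in audit_queues(raw_by_url).items() if s == "NONE")


def audit_region_live(region):
    """Same check against a real account (assumes boto3 and credentials)."""
    import boto3
    sqs = boto3.client("sqs", region_name=region)
    return {
        url: classify_sse(sqs.get_queue_attributes(
            QueueUrl=url, AttributeNames=["SqsManagedSseEnabled", "KmsMasterKeyId"]
        ).get("Attributes", {}))
        for url in sqs.list_queues().get("QueueUrls", [])
    }


if __name__ == "__main__":
    for url, status in audit_queues(SAMPLE_QUEUE_ATTRIBUTES).items():
        print(f"{status:8} {url}")
```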

Remediation / Resolution

To enable Server-Side Encryption (SSE) for your existing Amazon SQS queues, perform the following actions:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Enable Server-Side Encryption (SSE)",
  "Parameters": {
    "SQSQueueName": {
      "Default": "cc-worker-queue",
      "Description": "SQS Worker Queue",
      "Type": "String",
      "MinLength": "1",
      "MaxLength": "63",
      "AllowedPattern": "^[0-9a-zA-Z-/]*$",
      "ConstraintDescription": "Must begin with a letter and must not end with a hyphen or contain two consecutive hyphens."
    }
  },
  "Resources": {
    "SQSDeadLetterQueue": {
      "Type": "AWS::SQS::Queue"
    },
    "SQSSourceQueue": {
      "Type": "AWS::SQS::Queue",
      "Properties": {
        "QueueName": {
          "Ref": "SQSQueueName"
        },
        "RedrivePolicy": {
          "deadLetterTargetArn": {
            "Fn::GetAtt": ["SQSDeadLetterQueue", "Arn"]
          },
          "maxReceiveCount": 5
        },
        "KmsMasterKeyId": "alias/aws/sqs",
        "KmsDataKeyReusePeriodSeconds": 300
      }
    }
  }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Enable Server-Side Encryption (SSE)
Parameters:
  SQSQueueName:
    Default: cc-worker-queue
    Description: SQS Worker Queue
    Type: String
    MinLength: '1'
    MaxLength: '63'
    AllowedPattern: ^[0-9a-zA-Z-/]*$
    ConstraintDescription: Must begin with a letter and must not end with a hyphen
      or contain two consecutive hyphens.
Resources:
  SQSDeadLetterQueue:
    Type: AWS::SQS::Queue
  SQSSourceQueue:
    Type: AWS::SQS::Queue
    Properties:
      QueueName: !Ref 'SQSQueueName'
      RedrivePolicy:
        deadLetterTargetArn: !GetAtt 'SQSDeadLetterQueue.Arn'
        maxReceiveCount: 5
      KmsMasterKeyId: alias/aws/sqs
      KmsDataKeyReusePeriodSeconds: 300

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.27"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  profile = "default"
  region  = "us-east-1"
}


resource "aws_sqs_queue" "sqs-queue-deadletter" {
  name = "cc-dead-letter-queue"
}

resource "aws_sqs_queue" "sqs-queue" {
  name                  = "sqs-worker-queue"
  redrive_policy = jsonencode({
    deadLetterTargetArn = aws_sqs_queue.sqs-queue-deadletter.arn
    maxReceiveCount     = 5
  })

  # Enable Server-Side Encryption (SSE-KMS)
  kms_master_key_id                 = "alias/aws/sqs"
  kms_data_key_reuse_period_seconds = 300

  # Enable Server-Side Encryption (SSE-SQS)
  # sqs_managed_sse_enabled = true
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon SQS console at https://console.aws.amazon.com/sqs/.

03 In the main navigation panel, under Amazon SQS, choose Queues.

04 Click on the name (link) of the SQS queue that you want to reconfigure.

05 Select the Encryption tab from the console bottom panel and choose Edit.

06 On the Edit <queue-name> configuration page, select the Encryption – Optional tab and perform the following operations:

  1. Select Enabled under Server-side encryption to turn on the Server-Side Encryption (SSE) feature.
  2. For Encryption key type select one of the following options:
    • To use the AWS-managed key created for Amazon SQS (i.e. SSE-SQS), select Amazon SQS key (SSE-SQS). The Amazon KMS service creates this AWS-managed key the first time when you request it.
    • To use a KMS Customer Master Key (CMK), select AWS Key Management Service key (SSE-KMS). Choose the desired CMK from the Customer master key dropdown list or select Enter the CMK alias and paste your key alias into the CMK alias box.
  3. (Optional) For Data key reuse period, provide a value between 1 minute and 24 hours.
  4. Choose Save to apply the configuration changes.

07 Repeat steps no. 4 – 6 to enable Server-Side Encryption (SSE) for other Amazon SQS queues available within the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other AWS regions.

Using AWS CLI

01 Define the required parameters for the set-queue-attributes command and save them to a JSON file named cc-enable-sse.json. Based on the encryption key type used (AWS-managed or KMS CMK), define one of the following sets of parameters:

  1. To use the AWS-managed key created for Amazon SQS (i.e. SSE-SQS):
    {
      "SqsManagedSseEnabled": "true"
    }

  2. To use a KMS Customer Master Key (CMK). Replace <kms-cmk-arn> with the ARN of the desired Customer Master Key (CMK):
    {
      "KmsMasterKeyId": "<kms-cmk-arn>",
      "KmsDataKeyReusePeriodSeconds": "300"
    }

02 Run set-queue-attributes command (OSX/Linux/UNIX) using the URL of the Amazon SQS queue that you want to reconfigure as the identifier parameter and the policy document defined at the previous step (i.e. cc-enable-sse.json), to enable Server-Side Encryption (SSE) for the selected SQS queue (the command does not produce an output):

aws sqs set-queue-attributes \
  --region us-east-1 \
  --queue-url https://sqs.us-east-1.amazonaws.com/123456789012/cc-web-app-worker \
  --attributes file://cc-enable-sse.json

03 Repeat steps no. 1 and 2 to enable Server-Side Encryption (SSE) for other Amazon SQS queues available in the selected AWS region.

04 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 3 to perform the Remediation process for other regions.
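The attribute file in step 1 is easy to get subtly wrong: the two key types are mutually exclusive, every value must be a string, and the data key reuse period is only accepted between 1 minute and 24 hours. The following added example (not part of the Conformity page or tooling) builds and validates that file and assembles the set-queue-attributes command from step 2; the function names and the 60 to 86400 second bounds (the 1 minute to 24 hour range stated above) are this example's own.

```python
import json

# 1 minute .. 24 hours, the range the console offers for the data key reuse period
REUSE_MIN_SECONDS, REUSE_MAX_SECONDS = 60, 86400


def build_sse_attributes(mode, kms_key_id=None, reuse_period_seconds=300):
    """Return the attribute map for `aws sqs set-queue-attributes --attributes`.

    mode: "sse-sqs" (AWS-managed SQS key) or "sse-kms" (a KMS CMK ARN/alias/ID).
    SQS attribute maps are string-to-string, so numbers are emitted as strings.
    """
    if mode == "sse-sqs":
        if kms_key_id is not None:
            raise ValueError("SSE-SQS and a KMS key are mutually exclusive")
        return {"SqsManagedSseEnabled": "true"}
    if mode == "sse-kms":
        if not kms_key_id:
            raise ValueError("SSE-KMS requires a KMS key ARN, alias or key ID")
        period = int(reuse_period_seconds)
        if not REUSE_MIN_SECONDS <= period <= REUSE_MAX_SECONDS:
            raise ValueError(
                f"KmsDataKeyReusePeriodSeconds must be between "
                f"{REUSE_MIN_SECONDS} and {REUSE_MAX_SECONDS}")
        return {"KmsMasterKeyId": kms_key_id,
                "KmsDataKeyReusePeriodSeconds": str(period)}
    raise ValueError(f"unknown mode {mode!r}")


def write_attributes_file(path, attributes):
    """Write the map as cc-enable-sse.json style input and return the path."""
    with open(path, "w") as fh:
        json.dump(attributes, fh, indent=2)
    return path


def set_queue_attributes_command(region, queue_url, path="cc-enable-sse.json"):
    """argv list for step 2, suitable for subprocess.run()."""
    return ["aws", "sqs", "set-queue-attributes", "--region", region,
            "--queue-url", queue_url, "--attributes", f"file://{path}"]


if __name__ == "__main__":
    attrs = build_sse_attributes("sse-kms", "alias/aws/sqs")
    path = write_attributes_file("cc-enable-sse.json", attrs)
    print(" ".join(set_queue_attributes_command(
        "us-east-1",
        "https://sqs.us-east-1.amazonaws.com/123456789012/cc-web-app-worker",
        path)))
```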

Publication date May 7, 2017